name: Semgrep

on:
  pull_request: {}
  # Skipping push for now since it would run against the entire code base.
  # push:

jobs:
  semgrep:
    name: Semgrep Scan
    runs-on: ubuntu-latest
    env:
      SEMGREP_SEND_METRICS: 0
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - uses: returntocorp/semgrep-action@245bf11ddb2f3d4e35f116608cf6e27ae0f9aa04 # v1